Wikipedia

Talk:Yahoo! data breaches

Latest comment: 1 hour ago by Schierbecker in topic GA Review
Learn more about this page

Thank You edit

Latest comment: 7 years ago1 comment1 person in discussion

I just wanted to post a quick note of appreciation to the many editors who contributed to this article. Thanks to everyone's efforts it was linked on the Main Page (in WP:ITN) barely a day after creation. Well done. -Ad Orientem (talk) 20:10, 24 September 2016 (UTC)Reply

Mention of PRISM and MUSCULAR on "Events" Section edit

Latest comment: 7 years ago4 comments4 people in discussion

I think the last paragraph of the Events section, about other actors having access to Yahoo´s data (meaning PRISM and MUSCULAR programs) is quite misleading as these are a different kind of data breachs. Maybe we could move this to the article´s ending in the "See also" section? Javier Jelovcan (talk) 12:56, 28 September 2016 (UTC)Reply

@Javier Jelovcan: How are these different kinds of data breaches? It seems that the only two differences are that those programs also breached into the content of email-accounts and not just the account-info (not enough to breach into most yahoo accounts and thereby gain access to the content) and that it wasn't self-reported by Yahoo but instead was disclosed by a whistleblower's leaks. However, while I do think that this information needs to be included in the article I too think that the "Events" section might be a bit inappropriate - it's not really part of the events of this breach. So either the section needs to be renamed (e.g. to "Background" or alike) or a new section needs to be set up.
--Fixuture (talk) 17:09, 30 September 2016 (UTC)Reply

Just want to agree with Javier that these breaches seem quite separate. As a casual reader, it felt like the article was trying to make a political point. The government breaches probably don't belong in this article. People reading this article are interested in the specific breaches cited in the news recently, not in "every time that Yahoo user data has been compromised". — Preceding unsigned comment added by 2600:1017:B425:8ED4:5D1E:F33C:6EC9:9CCF (talk) 16:44, 2 October 2016 (UTC)Reply

Well, I happen to agree with the inclusion of the mentions. If a government actor is mentioned, it should be made clear to what extent various such actors are already involved, as part of general context. Samsara 01:40, 4 October 2016 (UTC)Reply

It's actually 2 breaches that have been disclosed: 2012 and 2014 edit

Latest comment: 7 years ago3 comments3 people in discussion

While the article is named Yahoo! data breach it seems that 2 separate breaches were publicized more or less at the same time:

  • one occurred in 2014, encompasses the account info of ~500.000.000 user accounts, with no data being public or sold, is said to be state-sponsored, and is the main subject of most news reports and this article
  • the other occurred in 2012, encompasses the account info of ~200.000.000 user accounts, with the data being sold on the TheRealDeal for bitcoins worth less than $2000, could possibly state-sponsored as well with the sale of the data being done with a profit/criminal motive by an individual hacker according to said vendor, and is only mentioned in most news reports and this article

Not sure if those 2 breaches are in any way related (e.g. by motivation, by attacker, by method used in the breach etc.). I'm also not sure whether or not Yahoo has confirmed this breach to date. Maybe they try to damage control by only confirming the larger breach and trying to only imply that the previous breach occurred as well without explicitly confirming it?

So what should be done here?
Should the article be renamed to sth like "Yahoo! data breaches" or "2014 and 2012 Yahoo! data breaches" or "Yahoo! data breaches revealed in 2016"...?
Or should there be a new article for the 2012 breach? (And if so: what about the other social media accounts "Peace_of_mind" is selling? It looks like those sites were breached as well.)
Or nothing at all?

--Fixuture (talk) 17:26, 30 September 2016 (UTC)Reply

For now, the two breaches should have clearly delineated and headlined sections. Once that's been achieved, it'll be easier to decide whether a split of the article is appropriate or not. Samsara 22:37, 1 October 2016 (UTC)Reply
The 2012 breach apparently refers to the 2012 LinkedIn hack. FallingGravity 21:06, 16 December 2016 (UTC)Reply

Open questions edit

Latest comment: 7 years ago2 comments2 people in discussion

There are a number of open questions I'd like to know the answers to if anybody has them (or can help find the answers to; Yahoo should have provided them already or clearer):

  • Were the passwords properly salted with a proper (long enough etc) salt per every user?
  • What do they mean with "encrypted or unencrypted security questions and answers"? Were they properly encrypted or not? If some weren't: which and how many users are affected?
  • How were the minority of passwords hashed that weren't hashed with bcrypt?
  • Is the country suspected by Yahoo Russia? Or is it another country (which?)? Or do they have no clue which country it is but only that it was state-sponsored?
  • Except of the professionality of the breach are there any other clues that point to a state-sponsored actor?
  • Did Yahoo notice any unusual activity such as what one would expect once the data reached criminal hands? (e.g. anything related to mass attempts of gaining access to accounts by answers to security-questions).
  • Why didn't Yahoo notify its users of the breaches? Weren't they knowledgable of the hack in 2014 already as "at the time of the 2014 attack, Yahoo executives were said to have concluded that it was linked to Russia, because it was launched from computers in Russia" ( http://www.wsj.com/articles/yahoo-executives-detected-a-hack-tied-to-russia-in-2014-1474666865 )?
  • How was the data encrypted? Was it encrypted? If not why?

Note that these open questions may also be included in the article if they were/are not answered.

--Fixuture (talk) 18:06, 30 September 2016 (UTC)Reply

Strictly speaking, we can't raise questions that aren't raised in reliable sources. If you can't find these questions raised elsewhere, maybe get in touch with Ars Technica, Wired or any similar publication to see if they'll accept an editorial contribution from you. Once that's published, there should be no question that we can cite it. I know it's silly, but that's how the current model works. If you want some help writing such a piece, let me know. HTH, Samsara 22:56, 1 October 2016 (UTC)Reply

Another data breach edit

Latest comment: 7 years ago3 comments2 people in discussion

There are reports of some 1 billion odd accounts (New York Times, Wall Street Journal, TechnoBuffalo, and more). This appears to be a different breach than the one the article currently covers. We could either incorporate this into the current article and rename it "Yahoo! data breaches" or move the current article to "2014 Yahoo! data breach" and create a new article 2013 Yahoo! data breach. However, as mentioned above, the current article also covers a 2012 data breach. I guess if this keeps up we'll see a data breach from Yahoo! every year. FallingGravity 02:41, 15 December 2016 (UTC)Reply

Given the extent to which reliable sources are reporting on the separate incidents together (focusing on the underlying vulnerabilities and combined impact on the company and on the public), I favor expanding this article and renaming it Yahoo! data breaches. —David Levy 03:34, 15 December 2016 (UTC)Reply
Since it's believed to be the same "state actors", I'm going ahead and moving it to "Yahoo! data breaches". There still isn't that much info about the new hack in the article yet. FallingGravity 09:39, 15 December 2016 (UTC)Reply

Removed info on the 2012 breach edit

Latest comment: 7 years ago2 comments2 people in discussion

A few days ago User:FallingGravity removed the "2012 breach" section, saying that it's about the 2012 LinkedIn hack.

While that's correct the section also contained information on the breach that apparently occurred in 2012. As of right now the "July 2016 discovery" section contains parts of that now-removed section. However there is no section "2012 breach" despite there apparently being a third breach and it's missing much info that was previously found in the removed section such as the motivation of the hackers and the use of the data.

Should parts of it be restored? If so how (should the section be renamed, left as it is or a new section get added)?

--Fixuture (talk) 18:15, 2 January 2017 (UTC)Reply

No, it should be kept out. The only connection to the 2012 LinkedIn hack is that there is the same black market seller involved in both. It's necessary to name this seller (and his connection to the 2012 hack) because awareness of this data led to the discovery of these larger breaches. The 2016 discovery section properly alludes to the seller's roll in the 2012 hack, but that's all that's needed. --MASEM (t) 18:19, 2 January 2017 (UTC)Reply

Article Frustratingly Lacks Basic Information edit

Latest comment: 4 years ago1 comment1 person in discussion

There does not appear to be even the most basic information posted related to this. Breach could mean anything, obviously it's implied credentials to the accounts were gained, but then what was done?

I assume passwords and contact information was downloaded for every account. What about individual emails, did the hackers download every email?

Did they download location information?

Contact Lists?

Calendar Appointments?

Where is the information — Preceding unsigned comment added by 108.29.37.45 (talk) 18:27, 8 February 2020 (UTC)Reply

GA Review edit

Latest comment: 1 month ago6 comments2 people in discussion
Unsuccessful. Sohom (talk) 17:22, 31 March 2024 (UTC)Reply

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

GA toolbox
Reviewing
This review is transcluded from Talk:Yahoo! data breaches/GA1. The edit link for this section can be used to add comments to the review.

Nominator: Joereddington (talk · contribs) 05:53, 27 March 2024 (UTC)Reply

Reviewer: Sohom Datta (talk · contribs) 06:52, 31 March 2024 (UTC)Reply

Another security article in GA finally! I'll take this on tmrw, feel free to ping liberally in case I forget. Sohom (talk) 06:52, 31 March 2024 (UTC)Reply

Awesome. I just gave bit a bit of a check over and sorted out a bunch of typos that snuck in :) Joe (talk) 11:37, 31 March 2024 (UTC)Reply

Review edit

Giving this an initial read, this is unfortunately going to have to be a quick fail since as it currently stands the article is a pretty long way from meeting the official good article guidelines. Particularly,

  • There are multiple issues with the prose of the article and a through copyedit before the article can be considered for a GA. (WP:GACR, 1a, 1b)
    • Firstly, the article is formatted to have a lot of one or two sentence paragraphs. This is generally discouraged by the style guidelines (see WP:PROSELINE) and should be avoided
    • Citations present in the lede should be removed unless extraordinary claims are made that are not already cited in the body of the article. (see WP:LEDECITE)
    • The lede must also summarize and provide a clear overview of the subject matter, the current lede makes not mention of the 2016-2017 period and the motivations behind the crime
    • There are even a few places where the sentences are even missing punctuations and/or are spaced weirdly or are weirdly phrased.
    • Sentences like Yahoo! officially reported the 2014 breach to the public on September 22, 2016 (during the last few weeks of Presidential election campaigning, which some commenters described as "a good day to bury the news,") should be avoided. While I understand that the article is by it's very nature somewhat negative towards Yahoo, we should represent the facts in a straightforward encyclopedic manner and not try to make unnecessary connections that make a particular person/entity look bad. (see WP:YESPOV)
    • In general, phrases like "some experts", "some commenters" etc are to be avoided. These are considered weasel words, if you need to quote somebody, quote them directly and mention who the publisher is.
    • It is often useful to provide some context about specific attackers, for example, for this line As part of this process, the hackers enlisted Karim Baratov to break into accounts on other platforms. I'm left confused as to who Karim Baratov is and why they were enlisted.
    • Lastly, I don't think you need to always end Yahoo! with a exclamation mark every time. Just Yahoo should be fine.
  • The article is also missing citations on a few sentences, for a GA, all text needs to be cited. (WP:GACR, 2b)

I think most of these issues can be solved by rewriting the article with some help from WP:GOCE. The sourcing behind the article is strong, and I definitely think a GA is within reason. I hope to see this article back at GA once the issues mentioned are fixed. Sohom (talk) 17:22, 31 March 2024 (UTC)Reply

The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

GA Review edit

Latest comment: 1 hour ago12 comments2 people in discussion
GA toolbox
Reviewing
This review is transcluded from Talk:Yahoo! data breaches/GA2. The edit link for this section can be used to add comments to the review.

Nominator: Joereddington (talk · contribs) 06:34, 2 April 2024 (UTC)Reply

Reviewer: Schierbecker (talk · contribs) 18:17, 22 April 2024 (UTC)Reply


This article appears to still be a little ways off from GA.

  • The lede name-drops Karim Baratov in the lede, but doesn't identify his profession or nationality.
    • Fixed. :)
  • When did Yahoo contact law enforcement?
  • How did Yahoo come to learn about the breaches?
    • Per the above, there's a suggestion that they were informed by law enforcement, there's a suggestion that they found out about it from press asking about account data being available on the dark web, and there's a suggestion in a press release that they were doing their own investigation. I've not been able to find reliable sources that cover it. Their filing at https://web.archive.org/web/20170110014942/https://investor.yahoo.net/secfiling.cfm?filingID=1193125-16-764376&CIK=1011006 says "In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders."


  • What effects did the 2013 breach have on users/Yahoo? When was this discovered? This breach affected six times as many accounts but there is hardly any information about it. Was it less sensitive in nature?
    • You are right. It's massive and it was broadly ignored (I mean, there was a congressional hearing but it found nothing of substance) I was extremely pleased I was able to find a source positively saying the negative: i.e. that Yahoo had released no information.
  • at least two others accessed user account information connected to Belan?
    • Fixed.
  • Yahoo also claimed that there was no evidence that the attackers were still in the system Was this proven? Article suggests otherwise.
  • From October 2014 to at least November 2016, Belan and at least two others accessed user account information Using the fruits of the 2014 breach?
    • Yes, that is the understanding. I can make this a bit more obvious in the text if you like?
  • The filing noted that the company believed the data breach had been conducted through a cookie-based attack The September filing or the November filing?
    • Fixed (The November filing of finances covering the period up to the 30th September) I've also clarified some of the nearby language.
  • it was reported that account names and passwords for about 200 million Yahoo accounts were presented for sale on the darknet market site. Which darknet site? Was this related to the 2014 breach? Do we know if anyone purchased them?
    • I'm a little confused by the first bit of the question - the darknet site is 'The Real Deal' but that's already in the text so I might need some clarity. Regarding the other questions: Yahoo hasn't released any information about which breach it might have been related to (or even if it's real), and I don't believe I have any sources covering if it was purchased.
  • Did Russia cooperate with the investigation? Was the FSB organization implicated as a whole or was this the work of agents doing unsanctioned work for the FSB on their own initiative (or even moonlighting off the clock for their own personal gain)? Which accounts did the FSB agents target. (edit: Dmitry Dokuchaev was one of those charged. He has a Wikipedia article. He should be mentioned by name. Maybe Igor Anatolyevich Sushchin too.)
    • I've linked both Igor_Sechin and Dmitry Dokuchaev. Sadly I don't have any sources from the FSB about how they feel. We have some light information about the FSB agents targeting 'people of interest to the regime' but nothing that really produces content (and I think it would be a magnet for some fringe contributions)

  On hold pending improvements. Schierbecker (talk) 18:17, 22 April 2024 (UTC)Reply

Wonderful! Thank you so much for your review. I'll pop back shortly to do proper replies/fixes - I suspect that the answer to some of your questions is "Yahoo refuses to give any information about this and thus there are no relable sources one way or the other", but I can make some changes on the basis of this :) Joe (talk) 12:04, 23 April 2024 (UTC)Reply
Right, I've fixed an array of things and replied to all comments. Apologies for how many of the answers are "There isn't really a source for that" I did do quite a bit of digging... Joe (talk) 18:49, 24 April 2024 (UTC)Reply
Hi, can I check in and see what's left to do? I'm aware that the clock is ticking and I don't want to miss out on the GA because I forgot to response to a particular comment :) Joe (talk) 06:42, 27 April 2024 (UTC)Reply
It appears that Igor Sushchin is linked to the wrong guy. Will take a look tomorrow. Schierbecker (talk) 07:22, 27 April 2024 (UTC)Reply
Definately the wrong guy (his age is about ten years different on the indictment compared to the wiki article) Joe (talk) 19:10, 30 April 2024 (UTC)Reply
I've used this source now :)
I've used this source now :)
I found a paragraph I'd removed previously and resurrected it (with your excellent source above)
  • Alexey Belan linked twice. Also who is he? Give a brief background. How did he escape prosecution? Where is he believed to be? Did the U.S. request his extradition? WP:BLPCRIME applies. Make sure that all unproven allegations are presented as such.
So I'm a little nervous here. On the one hand I don't want to add much content for exactly BLPCRIME reasons - all that we actually know is that he's been accused. The other problem is that Belan's own Wikipedia article is magnificently low on content. We could say that he was last known to be in Krasnodar Russia (per https://www.fbi.gov/wanted/cyber/alexsey-belan) but the major issue there is that page is showing signs of having barely been updated since before the breach... Is this in one of the GA criteria or is this more of a 'nice to have' thing? Joe (talk) 11:10, 1 May 2024 (UTC)Reply
I guess we don't know for sure that he fled? Just that his last known location was in Russia? You could say that. Just make sure to attribute this to the FBI. Use Internet Archive to lock down when the FBI said this. Schierbecker (talk) 15:38, 1 May 2024 (UTC)Reply
  • When was the August 2013 breach disclosed?
Fixed :)
I think this is done, I'm not sure. :)
  • Use MOS:DATECOMMA. This article is specific to the U.S., therefore it is obvious we are dealing with U.S. currency. MOS:$.
Done :)
  • [[tq|Judge Koh rejected the settlement offer,}} Need his first name. In this case I don't think his name is important, so it can just be removed.
Done :)

Schierbecker (talk) 20:57, 30 April 2024 (UTC)Reply

  • Former CEO Marissa Mayer Should say "Former CEO Marissa Mayer, who was CEO at the time of the breach"
  • Heading should be in sentence case per MOS:HEAD
  • wl Article 29 Data Protection Working Party. Unquote, as it is a proper name. Wl names in image captions. It's not considered overlink. Briefly describe each individual and their relevance to the matter in the captions.
  • His memoir, written after his release, Try "His memoir published in YEAR".
  • Did Yahoo lose users over this? They had somewhat of an IBM-esque mojo about them: They were bleeding users before this but were mounting a come-back. They had recently purchased Flickr. I remember Mayer being this sort of Sheryl Sandberg-type figure girl boss who went from hero to zero. (did her resignation have anything to do with the security issues Yahoo had under her watch?)
  • What nationality is Yahoo?
  • Yahoo would be more readable in running text if it did not have punctuation.
  • Probably no reason to mention the name of the credit-monitoring service Yahoo offered its users.
  • Should mention Dokuchaev was under arrest in Russia at the time of the indictment.
  • In a letter to Mayer, six Democratic U.S. Senators Did she respond?
  • Before trial could commence Before the trial?
  • enlisted a Canadian hacker, Karim Baratov, to break into accounts Try "enlisted Canadian hacker Karim Baratov to break into accounts"
  • In June 2016, it was reported that account names and passwords for about 200 million Yahoo accounts Try "In June 2016 account names and passwords for about 200 million Yahoo accounts were listed for sale" on the darknet market site TheRealDeal." No comma before TheRealDeal. The source says "supposed credentials". Did further investigation substantiate whether this was real? Was "Peace"'s identity ever tied to an individual (or is alleged to be an individual) named in the FBI's indictment or in other inquiries? See p. 1271 in that pdf. Here Peace seems to claim he's just a data broker and is unsure of the providence of the material, saying it may have been from 2012. It's unclear if this alleged breach is one of the two this article deals with or a third breach.
  • wl/define the type of attacks used in this breach. Was Cookie poisoning used? I believe I've also seen the term "spear phishing" used to describe what Baratov did. Is there a glossary or wiktionary entry to link to?
  • In late November, Ireland's Data Protection Commissioner (DPC) This sentence could be split up. Yahoo was not investigating the breach but just examining it What's a better way of saying this? That the DPC was unsatisfied with the thoroughness of Yahoo's investigation? awaiting information from Yahoo on allegations that it helped the U.S. government scan users' emails, a whopper of an accusation. Was this allegation connected with either of the two breaches that this article talks about? If so, say so.
  • Worth mentioning? The New York Times reported Wednesday that Yahoo Chief Executive Marissa Mayer “had rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach."

Instead, Yahoo last week posted an alert on its website asking users who were potentially affected by the breach to “promptly change their passwords,” as well as any security questions and answers used to access their accounts. [1] I'll send a screenshot if you need.

  • Avoid language that is likely to become outdated.
  • Single quotes should only be used in news headlines and quotes within quotes.
  • CEO Lowell McAdam said he wasn't shocked by the hack CEO of what company? Did Verizon renogotiate the deal as a result of the disclosure, as suggested here?
  • Democratic is capitalized in one instance but not the other.
  • Yahoo eventually agreed to settle strike unnecessary word "eventually".
  • Identify nationality of Alexey Belan in body at first mention.
  • After Yahoo was identified by Edward Snowden as a frequent target for state-sponsored hackers, it took the company a full year before hiring a dedicated chief information security officer, Alex Stamos implies that Stamos was hired to shore up security as a result of the Snowden leak, which highlighted security weaknesses at Yahoo. Was that so? Also the way this was written implies that Yahoo was slow to act on the revelations and that his hiring was overdue? True?
  • More to follow.

Schierbecker (talk) 15:38, 1 May 2024 (UTC)Reply

Add topic
Retrieved from "https://en.wikipedia.org/w/index.php?title=Talk:Yahoo!_data_breaches&oldid=1220259169"